Continuous compliance, run by an agent.

Ask Vera anything about your compliance program. She scans your infrastructure, writes policies grounded in what's real, traces claims to signed evidence, and reports in Slack at 6:30 AM. SOC 2, HIPAA, and more.

  • 27+ agent tools
  • 489+ native checks
  • 70% evidence automated
  • $499 per month

Vera, working live

Real prompts. Real tool calls. Same agent that runs your daily 6 AM evidence checks and posts the Slack briefing before standup.


Let's close out your list, Sarah

How can I help you today?

  • Daily autonomous work · 06:00 evidence checks
  • Cross-framework reuse · SOC 2 · HIPAA · ISO 27001
  • Policy risk caught · Overpromise checker
  • Evidence integrity · Signed · timestamped · BYOK

Scans, not connection points

20 native providers. 489+ deep checks.

Vera reads your real systems — branch protection rules, IAM policies, MFA enforcement, encryption settings — and produces evidence mapped to SOC 2, HIPAA, ISO 27001, and CIS Benchmarks. One scan, multi-framework reuse.

Cloud · Code · Identity · Security · Workflow

AWS · Google Cloud · Azure · Cloudflare · GitHub · GitLab · Bitbucket · Vercel · Okta · Auth0 · JumpCloud · Google Workspace · 1Password · Datadog · CrowdStrike · Sentry · Wiz · Tailscale · Slack · Microsoft Teams · Jira · Linear · Notion · Stripe

How it works

From connect to continuous monitoring.

Connect once. Vera scopes the program, generates policies grounded in your real systems, and tracks readiness daily — without a consultant in the loop.

1

Connect

GitHub, AWS, and Okta — linked in the onboarding wizard.

  • GitHub org · connected
  • AWS account · connected
  • Okta · connected
2

Scope

Auto-generated control matrix with N/A justifications.

  • 64 controls identified
  • 12 marked N/A
  • 52 in scope
3

Generate

Policies written from scan results, claims highlighted.

  • 8 policies generated
  • 3 overpromise flags
  • Review in editor →
4

Monitor

6:30 AM Slack briefing. Readiness tracked continuously.

  • Readiness: 84%
  • 2 items need attention
  • Daily briefing sent

What we solve

The reasons compliance quietly stalls.

Screenata is built around the six failure modes that make first-time compliance take six months and cost $80K instead of six weeks and $3K — across SOC 2, HIPAA, and the frameworks behind them.

01

Compliance is a separate workflow nobody does

Founders log into a GRC dashboard, get overwhelmed, close the tab, and ship product. Vera comes to you in Slack at 6:30 AM, by DM for evidence requests, and by email for auditor questions. The dashboard is for auditors, not your daily work.

02

Template policies don't match reality

Every GRC platform starts with templates. Founders approve language like 'quarterly access reviews' they've never run. Auditors catch it. Audits fail. Vera scans GitHub, AWS, and Okta first, then writes from what's real — and the overpromise checker flags claims you can't prove.

03

Evidence collection is manual labor

Every other platform automates monitoring but leaves collection to humans. Someone screenshots SSO, exports access logs, uploads pen test reports. Months of CTO time. Vera collects 70% automatically, guides 9% with step-by-step flows, captures 9% via screenshots, and ingests the last 5% from Slack DMs and forwarded emails. Zero controls require a dashboard upload.

04

No traceability from policy to proof

Auditors ask: 'Your policy says you enforce MFA. Prove it.' Most platforms link evidence to controls — that's it. Screenata links a specific sentence in a policy to a testable claim, to the control test that verifies it, to the evidence submission, to a signed vault artifact. Click any claim and follow the chain.

05

The $60–180K/year tax

First-time SOC 2: auditor ($15K) + vCISO ($60K over 6 months) + GRC platform ($10K). For a 10-person startup, this is crippling — and most of the vCISO's hours are repeatable, template-driven work. $499/month replaces that orchestration layer. Auditor stays independent.

06

Compliance stops after the first audit

Most audits are point-in-time. Continuous compliance requires months of fresh evidence, ongoing access reviews, and patched vulns. Most startups pass once and let the program decay. Vera's agents scan weekly, check freshness daily, and run quarterly access reviews automatically. Compliance keeps running while you ship.

Multi-channel agent

Vera comes to where your team already works.

The chat SDK abstracts Slack, email, web, queue, and MCP into a single adapter. Same agent, same tools, same context — different surfaces. Universal email at {org-slug}@screenata.com classifies sender intent and routes to the right control.

Slack

6:30 AM briefings. DM evidence requests with auto-classification on file drop.

Email

Forward auditor questions to {org-slug}@screenata.com. Sender-aware intent classification routes the rest.

Terminal

screenata status, screenata audit check, screenata evidence submit. Pipes into Claude Code.

GitHub

PR compliance reviews, repo scans on push, risk-register sync from Issues. Read-only by design.

Context-aware AI

Open a failing control. Vera already knows the ref, the linked tests, and the stale evidence — she suggests "re-run the MFA check" before you've typed anything. Every page hands Vera the context she needs. No copy-pasting IDs.

24 hours of Vera

While you sleep, the work runs.

Scheduled jobs trigger agents — they only invoke the LLM when there's actual work to do. No token-burning heartbeats. Compare to a Vanta dashboard nobody has opened in three days.

Scheduled cadence
  • Daily 06:00 · Evidence freshness
  • Daily 06:15 · Readiness snapshot
  • Daily 06:30 · Slack briefing
  • Mon 09:00 · Cloud + repo scan
  • Quarterly · Access reviews (Okta + GitHub + cloud IAM)
  • Annual · Risk assessment refresh
Every AI call is logged and audited — every action becomes evidence about how the AI itself operates.
06:00

Evidence Agent

Checks freshness across 489+ controls. Flags items past 90 days. Drafts re-collection messages.

06:15

Readiness Snapshot

Computes per-framework readiness. Compares to yesterday. Identifies blockers vs warnings.

06:30

Slack briefing

Founder gets a 4-line summary. Action buttons inline. Escalation: 4h → DM, 24h → email, 48h → banner.

09:00

Weekly cloud scan

20 native providers. AWS (159), Azure (98), Kubernetes (79), M365 (78), GCP (55), GitHub (20). Findings hashed and stored.

09:04

Repository Agent

Branch protection verified. Secrets scanning ran on three repos. Code never persisted.

11:42

Vendor discovered from package.json

Stripe added. Auto-researched SOC 2 Type II + DPA. Risk tier classified. Assessment drafted for review.

14:21

PR compliance review

PR #482 modifies auth code. Linked to CC6.1. Comment posted with policy claim and verification suggestion.

Tomorrow 06:30

Briefing

Readiness 87% (+3). Access review evidence collected. S3 encryption fixed. New finding: stale CloudTrail.

Closed-loop remediation

From defect detected to ticket closed — without leaving the thread.

Vera doesn't stop at 'we found something.' She opens the ticket, drafts the fix, asks for approval in Slack, applies it, and closes the loop. Other platforms tell you what's wrong. Vera fixes it — with your sign-off, every time.

01

AWS scan

Weekly cloud scan · Mon 9 AM

02

Defect detected

S3 bucket logs-archive missing encryption

03

Jira ticket opened

JIRA-482 · CC6.6 · priority high

04

Vera drafts the fix

Enable AES-256 + KMS · diff attached

05

Slack approval

Posted to #compliance · 2 reviewers tagged

06

Fix applied. Closed.

Evidence captured & signed

Every step is logged, every change is permissioned, and you approve from Slack — not a dashboard. High-risk operations (IAM modifications, policy approvals) always require explicit human sign-off.

Policies from infrastructure

Scan first. Then write what you can prove.

policy-context.service.ts assembles 15–25KB of structured context — IdP config, IAM policies, branch protection, existing evidence — before generation. The overpromise checker runs on the output and flags hard commitments unsupported by what we found.

Access Control Policy · draft
2 flagged

Acme Corp enforces multi-factor authentication through Okta for all administrative access to production systems. verified

Production access is reviewed quarterly by the security team to remove stale entitlements. overpromise

Vera flagged this claim

No quarterly access review evidence found in the last 12 months across Okta and GitHub. Choose: soften to "periodic reviews as needed", or commit to quarterly and let me schedule them as agent-managed operations.

Claim → proof chain

One sentence. One claim. One test. One signed artifact.

No other GRC platform structures this chain. Vanta and Drata link evidence to controls. Screenata links a specific sentence in a policy to a testable claim, to the control test that verifies it, to the submission, to a signed vault artifact you can verify outside Screenata.

Policy claim → Claim → test link → Evidence submission → Vault artifact · SHA-256 · RFC 3161
Access Control Policy · §3.2
verified
1

Policy sentence

Administrative access requires MFA through Okta.

Access Control Policy / §3.2

2

Policy claim

MFA enforced for admin accounts

CC6.1 · IA-2 · IMPLEMENTED

3

Control test

Okta MFA policy verification

Native API check · 24h freshness

4

Evidence artifact

Signed Okta API response

SHA-256 + RFC 3161 timestamp

Evidence collection

70% automated. 9% guided. 9% screenshots. 5% inbox. Zero dashboard uploads.

Other platforms automate monitoring and leave collection to humans. Screenata closes the loop — including the long tail. Forward an auditor email or drop a file in Slack DM and the system classifies it, stores it in secure cloud storage, and links it to the right control.

70% share

Fully automated

API scans, internal reports, policy linking, native compliance checks across 20 providers.

9% share

Guided collection

Step-by-step flows with AI coaching. The system records results as you work.

9% share

Automated screenshots

Browser extension records workflows; vision LLM scores quality before submission.

5% share

Inbox-ingested

Forward an email or drop a file in Slack DM. Auto-classified, stored in secure cloud storage, linked to the right control.

20 native providers

AWS · Azure · GCP · Kubernetes · M365 · GitHub · Okta · Workspace · Slack · Datadog · CrowdStrike · Snyk · plus more.

489+ deep checks

Each mapped to SOC 2, HIPAA, ISO 27001, CIS, and NIST 800-53 — not shallow connection points.

Freshness lifecycle

Fresh → stale at 90d → expired at 120d. Evidence Agent watches and triggers re-collection.
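An added example, not Screenata's code or its catalog, of the two rules described above: a canonical catalog in which one native check maps to controls in several frameworks (the "collect once, reuse across frameworks" idea), and the freshness lifecycle (stale at 90 days, expired at 120) feeding a per-framework readiness snapshot with blockers and warnings. The control mappings and the rule that stale evidence still counts toward readiness are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Illustrative canonical catalog (not the product's): one native check maps to a
// control in each framework, so a single scan yields evidence for all of them.
var catalog = map[string]map[string]string{ // check -> framework -> control
	"okta-mfa":      {"SOC 2": "CC6.1", "HIPAA": "164.312(d)"},
	"s3-encryption": {"SOC 2": "CC6.6", "HIPAA": "164.312(a)(2)(iv)"},
	"access-review": {"SOC 2": "CC6.3"},
}

type Snapshot struct {
	Readiness map[string]int // framework -> percent of controls with usable evidence
	Blockers  []string       // expired or missing evidence
	Warnings  []string       // stale evidence: still usable, but re-collection is due
}

// Freshness applies the lifecycle from the page: fresh, stale at 90d, expired at 120d.
func Freshness(collected, now time.Time) string {
	days := now.Sub(collected).Hours() / 24
	if days >= 120 {
		return "expired"
	} else if days >= 90 {
		return "stale"
	}
	return "fresh"
}

// Readiness scores each framework from the newest collection time per check.
// Assumed rule: fresh and stale evidence satisfy a control; expired or missing blocks it.
func Readiness(newest map[string]time.Time, now time.Time) Snapshot {
	s := Snapshot{Readiness: map[string]int{}}
	total, ok := map[string]int{}, map[string]int{}
	for check, controls := range catalog {
		state := "missing"
		if at, found := newest[check]; found {
			state = Freshness(at, now)
		}
		for fw, ctl := range controls {
			total[fw]++
			msg := fmt.Sprintf("%s %s: %s evidence %s", fw, ctl, check, state)
			if state == "expired" || state == "missing" {
				s.Blockers = append(s.Blockers, msg)
				continue
			}
			ok[fw]++ // usable evidence, counted once per framework control it maps to
			if state == "stale" {
				s.Warnings = append(s.Warnings, msg)
			}
		}
	}
	for fw := range total {
		s.Readiness[fw] = 100 * ok[fw] / total[fw]
	}
	return s
}
```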

Developer-native

Compliance in the terminal, the PR, and Claude Code.

The enterprise API, screenata CLI, GitHub App, and MCP server are one architecture. Every tool hits the same API. Compliance-as-code, not yet another tab.


PR compliance review

GitHub App posts on PRs that touch sensitive code. Surface the policy claim affected. Status check passes alongside CI.

MCP server

Connect Screenata in Claude Code, Cursor, or Windsurf. Ask 'what's our SOC 2 readiness?' from inside your editor.

Audit pre-flight gate

screenata audit check returns exit 0 / 1. Wire it into CI to stop a release that breaks a compliance assumption.

The audit is one week. Compliance is every week. Screenata runs continuously in your Slack, your PRs, your CI, your terminal, and your auditor's inbox — not in a tab you forgot to open.

Slack-first workflow

The morning briefing arrives before standup.

Vera posts daily readiness in your #compliance channel, flags blockers, delegates evidence requests by DM, and ingests files dropped right back at her. The dashboard is for auditors. This is for your team.

Slack — Acme Corp

compliance

8 members · pinned: SOC 2 program

Today
Screenata APP · 6:30 AM

Daily compliance briefing · Mon Apr 28

  • Readiness 84% (+12 vs last week)
  • 1 blocker: CC6.1 — Okta access review evidence stale (92d)
  • 2 warnings: CloudTrail Q2 export missing, S3 encryption check needs re-run
  • Next: ask @priya for the access review export
Screenata APP · 9:04 AM

Weekly cloud scan · 489 checks

  • 488 passed · 1 new finding
  • S3 bucket logs-archive missing default encryption
  • Drafted remediation ticket — needs your approval to apply.

Trust architecture

AI compliance you can verify, not vibes-based AI.

Two recent collapses — one platform shipping boilerplate as audit reports, another leaking confidential drafts in a public spreadsheet — broke trust in the category. Screenata answers with architecture, not adjectives. See the full security architecture →

Credentials never touch our database

Cloud provider keys live in Azure Key Vault, keyed per workspace and per provider.

Read-only cloud scanning

We never request write permissions on your cloud or repos. When Vera detects a config issue, she sends manual guidance with a direct link — no auto-fix, no write API calls.

Ephemeral code scanning

Source files are read into memory for secrets and pattern matching, findings stored, source deleted. Never persisted to a database or object store.

Cryptographic evidence packages

Per-file SHA-256, RSA or ECDSA signatures, RFC 3161 timestamps from six TSAs with fallback. eIDAS-compatible.

Bring your own signing key

Evidence signing has three modes: platform default, a customer key encrypted with AES-256-GCM, or AWS/GCP/Azure KMS. Enterprise-verifiable.

Multi-tenant by construction

Workspace context is enforced on every database query, and foreign keys enforce the tenant hierarchy. No cross-tenant leakage possible.

Where we sit

Two worlds: dashboard-era GRC and agent-era compliance.

Vanta and Drata are dashboards from a previous decade. Screenata puts continuous compliance into Slack, your PRs, your terminal, and the auditor's inbox — every surface a developer already touches.

Dimension             | Screenata                        | Vanta                  | Drata
Policy source         | Infrastructure scans             | Templates + AI overlay | Templates + post-hoc AI
Evidence automation   | 70% fully automated              | Semi-automated         | Semi-automated
Claim traceability    | Policy → Claim → Test → Evidence | Evidence → Control     | Evidence → Control
Evidence integrity    | RSA/ECDSA + RFC 3161 + BYOK      | PDF export             | PDF export
Continuous monitoring | Continuous agent                 | Hourly checks          | Autopilot
Primary interface     | Slack + email + CLI + web        | Dashboard              | Dashboard
Pricing               | $499/mo                          | $10–80K/yr             | $7–50K/yr

Vanta launched its "Agentic Trust Platform" in November 2025. Drata followed. The agents are workflow automation with AI augmentation. Ask either to show you their agent doing something without a human clicking a button.

Pricing math

$499/month replaces the repeatable vCISO work.

The honest comparison is auditor + vCISO + GRC platform. Auditor stays independent. We replace the orchestration layer that's driving most of the cost.

Six-month path to audit        | Traditional | Screenata
Auditor                        | $15K        | $15K
vCISO or consultant (6 months) | $60K        | $0
GRC platform                   | $10K        | $3K
Founder hours                  | 80+         | Under 10
Total                          | $85K+       | $18K

Questions

The questions technical founders ask first.

Concrete architecture, real workflows, and proof over category claims.

What makes Screenata different from Vanta or Drata?

Vanta and Drata are dashboards a human compliance person works inside. Screenata is the compliance person. Vera scans your infrastructure, writes policies from what's real, collects evidence, runs scheduled checks at 6 AM, and delivers everything through Slack, email, GitHub, and your terminal. The dashboard exists for auditors and deep dives — the daily work happens where you already are.

Does Vera actually do work without someone clicking buttons?

Yes. Daily 6:00 AM evidence freshness checks, daily 6:15 AM readiness snapshots, weekly Monday cloud and code scans, quarterly access reviews, and annual risk refreshes all run on scheduled jobs. Vera flags stale evidence, drafts delegation messages, scopes remediation, and posts agent reports. You approve actions; you don't run them.

How are policies generated?

Screenata scans first, then writes. We pull context from GitHub, AWS or GCP, your IdP, existing evidence, and your company profile, then generate policies grounded in what we found. The overpromise checker flags hard commitments (like 'quarterly access reviews') we cannot verify in evidence, before you ever ship them to an auditor.

Can auditors trace claims back to proof?

Yes. Each claim in a policy is anchored to a specific sentence and linked to the control test that verifies it. Each test has its evidence submissions, and each submission references a cryptographically signed artifact. An auditor can hover any claim in a policy, see the test that proves it, and verify the evidence package independently with a signed manifest.

What happens to evidence packages?

Evidence exports are tamper-evident: SHA-256 per-file hashes, RSA or ECDSA digital signatures, RFC 3161 independent timestamps, and BYOK support so enterprises can sign with their own keys. We're publishing the format as an open spec with a free verify CLI so anyone can check a Screenata pack without an account.

Can I use Screenata in Slack?

Yes — Slack is a first-class surface, not a notification channel. Vera posts daily readiness briefings in your #compliance channel at 6:30 AM, DMs teammates for evidence with step-by-step instructions, and accepts file drops directly in Slack — auto-classifying, signing, and routing them to the right control. Slash commands and approval blocks are built in. The dashboard exists for auditors and deep dives; daily compliance work happens where your team already talks.

Is the evidence Vera produces auditor-ready?

Yes. Every artifact is mapped to specific Trust Services Criteria or HIPAA safeguards, signed with SHA-256 + RFC 3161 timestamps, and traceable from policy claim → control test → submission → vault artifact. Auditors get a structured pack — not a folder of screenshots — and can verify integrity independently with a free CLI. We design the output for what auditors actually look for in fieldwork: completeness, attribution, freshness, and tamper evidence.

Which frameworks do you support?

SOC 2 and HIPAA today, with more on the way. Our control model uses a shared canonical catalog so a single MFA scan satisfies SOC 2 CC6.1 and HIPAA §164.312(d) at the same time — and the same scan will map to ISO 27001 and other frameworks as we add them. You collect evidence once instead of paying for each framework separately.

Connect and see

See what your SOC 2 looks like with your real systems.

Connect GitHub and cloud read-only. Vera shows your control matrix, policy gaps, stale evidence, and prioritized next actions before you commit to anything.